You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@flink.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2022/05/21 05:20:00 UTC
[jira] [Updated] (FLINK-27728) dockerFile build results in five vulnerabilities
[ https://issues.apache.org/jira/browse/FLINK-27728?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
ASF GitHub Bot updated FLINK-27728:
-----------------------------------
Labels: pull-request-available (was: )
> dockerFile build results in five vulnerabilities
> ------------------------------------------------
>
> Key: FLINK-27728
> URL: https://issues.apache.org/jira/browse/FLINK-27728
> Project: Flink
> Issue Type: Bug
> Components: Kubernetes Operator
> Affects Versions: kubernetes-operator-0.1.0
> Reporter: James Busche
> Assignee: James Busche
> Priority: Major
> Labels: pull-request-available
> Fix For: kubernetes-operator-1.0.0
>
>
> A Twistlock security scan of the default flink-kubernetes-operator currently shows five fixable vulnerabilities. One [~wangyang0918] and I are trying to fix in [FLINK-27654|https://issues.apache.org/jira/browse/FLINK-27654].
> The other four are easily addressable if we update the underlying OS. I'll propose a PR for this later this evening.
> The four vulnerabilities are:
> 1. packageName: gzip
> severity: Low
> cvss: 0
> riskFactors: Has fix,Recent vulnerability
> CVE Link: [https://security-tracker.debian.org/tracker/CVE-2022-1271]
> Description: DOCUMENTATION: No description is available for this CVE. STATEMENT: This bug was introduced in gzip-1.3.10 and is relatively hard to exploit. Red Hat Enterprise Linux 6 was affected but Out of Support Cycle because gzip was not listed in Red Hat Enterprise Linux 6 ELS Inclusion List. [https://access.redhat.com/articles/4997301] MITIGATION: Red Hat has investigated whether possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.
> 2. packageName: openssl
> severity: Critical
> cvss: 9.8
> riskFactors: Attack complexity: low,Attack vector: network,Critical severity,Has fix,Recent vulnerability
> CVE Link: [https://security-tracker.debian.org/tracker/CVE-2022-1292]
> Description:
> The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd).
> 3. packageName: zlib
> severity: High
> cvss: 7.5
> riskFactors: Attack complexity: low,Attack vector: network,Has fix,High severity
> CVE Link: [https://security-tracker.debian.org/tracker/CVE-2018-25032]
> Description: zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.
> 4. packageName: openldap
> severity: Critical
> cvss: 9.8
> riskFactors: Attack complexity: low,Attack vector: network,Critical severity,Has fix,Recent vulnerability
> CVE Link: [https://security-tracker.debian.org/tracker/CVE-2022-29155]
> Description: In OpenLDAP 2.x before 2.5.12 and 2.6.x before 2.6.2, a SQL injection vulnerability exists in the experimental back-sql backend to slapd, via a SQL statement within an LDAP query. This can occur during an LDAP search operation when the search filter is processed, due to a lack of proper escaping.
--
This message was sent by Atlassian Jira
(v8.20.7#820007)